T1574.001 Google Chronicle · YARA-L

Detect DLL Hijacking (T1574.001) in Google Chronicle

Adversaries may abuse dynamic-link library (DLL) mechanisms to achieve persistence, privilege escalation, and defense evasion. Techniques include DLL search order hijacking (planting a malicious DLL earlier in the search path), DLL side-loading (placing a malicious DLL alongside a legitimate signed executable), phantom DLL hijacking (targeting references to non-existent DLLs), DLL substitution (replacing a valid DLL), and DLL redirection (using .manifest or .local files). Groups including Chimera, TONESHELL/Mustang Panda, Velvet Ant, APT41, and Aquatic Panda have extensively used these techniques to load malicious payloads under trusted process contexts.

MITRE ATT&CK

Tactic: Persistence, Privilege Escalation, Defense Evasion
Technique: T1574 Hijack Execution Flow
Sub-technique: T1574.001 DLL
Canonical reference: https://attack.mitre.org/techniques/T1574/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1574_001_dll_hijacking_sideloading {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects DLL search order hijacking or side-loading where a process running from System32, SysWOW64 or Program Files loads an unsigned or invalidly-signed DLL from a user-writable path (T1574.001)"
    mitre_attack_tactic = "Defense Evasion, Persistence, Privilege Escalation"
    mitre_attack_technique = "T1574.001"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    // Statements in this section are ANDed together.
    $e.metadata.event_type = "PROCESS_MODULE_LOAD"

    // The loading process (principal) must have its image in a directory standard users cannot write to.
    $e.principal.process.file.full_path = /(?i)(\\windows\\system32\\|\\windows\\syswow64\\|\\program files)/

    // The loaded module (target) must come from a directory standard users can write to.
    (
      $e.target.file.full_path = /(?i)\\appdata\\local\\temp\\/ or
      $e.target.file.full_path = /(?i)\\appdata\\roaming\\/ or
      $e.target.file.full_path = /(?i)\\programdata\\/ or
      $e.target.file.full_path = /(?i)\\users\\public\\/ or
      $e.target.file.full_path = /(?i)\\windows\\temp\\/
    )
    // Defensive exclusion: a module under a protected directory is never in scope.
    not $e.target.file.full_path = /(?i)(\\windows\\system32\\|\\windows\\syswow64\\|\\program files)/

    // The module is unsigned or its signature does not verify. Confirm in a UDM search that your
    // parser populates these fields: if signature_status is never set, the "!=" clause can match
    // every load from a writable path and the rule becomes a plain path-based alert.
    (
      $e.target.file.pe_file.code_signature.signed = false or
      $e.target.file.pe_file.code_signature.signature_status != "SIGNATURE_VALID"
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1574.001 DLL hijacking by matching PROCESS_MODULE_LOAD events in which a process whose image resides in System32, SysWOW64 or Program Files loads an unsigned or invalidly-signed DLL from a user-writable path such as AppData, ProgramData, Users\Public or Windows\Temp. This covers search order hijacking, side-loading and phantom DLL loads into a legitimately installed binary. A signed binary that has itself been copied into a writable directory (the common side-loading pattern) does not satisfy the principal-path constraint and needs a separate rule or a widened constraint.
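To see how the rule's events section behaves on concrete input, the Python script below, added here as an illustration and not part of the Argus rule or of Chronicle, re-implements the same path and signature logic over constructed UDM-like events and adds the kind of loader/module allowlist that the False Positives & Tuning section calls for. The flattened field names (process_path, module_path, signed, signature_status), the vendor names, the directory layout of the sample events and the RMM allowlist entry are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Regexes lifted from the rule's events section (RE2 and Python re agree on this syntax).
TRUSTED_PROCESS_DIRS = re.compile(
    r"\\windows\\system32\\|\\windows\\syswow64\\|\\program files", re.IGNORECASE
)
WRITABLE_DLL_DIRS = re.compile(
    r"\\appdata\\local\\temp\\|\\appdata\\roaming\\|\\programdata\\|\\users\\public\\|\\windows\\temp\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Verdict:
    matched: bool
    reason: str


def evaluate(event: dict, allowlist=()) -> Verdict:
    """Apply the rule's logic to one flattened module-load event.

    Event keys are hypothetical flattenings of the UDM fields the rule reads:
      event_type       -> metadata.event_type
      process_path     -> principal.process.file.full_path
      module_path      -> target.file.full_path
      signed           -> the rule's ...code_signature.signed (bool, or None if unset)
      signature_status -> the rule's ...code_signature.signature_status (str, or None if unset)
    allowlist holds (process_regex, module_dir_prefix) pairs for sanctioned loaders.
    """
    if event.get("event_type") != "PROCESS_MODULE_LOAD":
        return Verdict(False, "not a module load")
    proc = event.get("process_path", "")
    mod = event.get("module_path", "")
    if not TRUSTED_PROCESS_DIRS.search(proc):
        return Verdict(False, "loading process is not in System32/SysWOW64/Program Files")
    if not WRITABLE_DLL_DIRS.search(mod) or TRUSTED_PROCESS_DIRS.search(mod):
        return Verdict(False, "module is not in a user-writable directory")
    for proc_re, mod_prefix in allowlist:
        if re.search(proc_re, proc, re.IGNORECASE) and mod.lower().startswith(mod_prefix.lower()):
            return Verdict(False, "allowlisted loader/module pair")
    signed = event.get("signed")
    status = event.get("signature_status")
    if signed is None and status is None:
        # The YARA-L clause status != "SIGNATURE_VALID" is also true when the parser never
        # populated the field, so the rule fires; report that separately so tuning can see it.
        return Verdict(True, "signature fields unset; confirm the parser populates them")
    if signed is False or status != "SIGNATURE_VALID":
        return Verdict(True, "module unsigned or signature not valid")
    return Verdict(False, "module signature verified")


# Constructed sample events (not real telemetry), one per scenario the rule and its tuning notes raise.
SAMPLE_EVENTS = {
    "sideload-into-system-process": {
        "event_type": "PROCESS_MODULE_LOAD",
        "process_path": r"C:\Windows\System32\svchost.exe",
        "module_path": r"C:\ProgramData\Vendor\version.dll",
        "signed": False, "signature_status": "SIGNATURE_INVALID",
    },
    "signed-plugin-from-profile": {
        "event_type": "PROCESS_MODULE_LOAD",
        "process_path": r"C:\Program Files\Browser\browser.exe",
        "module_path": r"C:\Users\alice\AppData\Roaming\Vendor\plugin.dll",
        "signed": True, "signature_status": "SIGNATURE_VALID",
    },
    "atomic-test-calc-from-temp": {  # binary itself copied out of System32, as in the Atomic tests
        "event_type": "PROCESS_MODULE_LOAD",
        "process_path": r"C:\Users\alice\AppData\Local\Temp\dll-hijack-test\calc.exe",
        "module_path": r"C:\Users\alice\AppData\Local\Temp\dll-hijack-test\cryptsp.dll",
        "signed": False, "signature_status": "SIGNATURE_INVALID",
    },
    "system-dll-normal": {
        "event_type": "PROCESS_MODULE_LOAD",
        "process_path": r"C:\Windows\System32\svchost.exe",
        "module_path": r"C:\Windows\System32\cryptsp.dll",
        "signed": True, "signature_status": "SIGNATURE_VALID",
    },
    "parser-left-signature-unset": {  # no signed / signature_status keys at all
        "event_type": "PROCESS_MODULE_LOAD",
        "process_path": r"C:\Windows\SysWOW64\rundll32.exe",
        "module_path": r"C:\Windows\Temp\helper.dll",
    },
    "rmm-agent-helper": {
        "event_type": "PROCESS_MODULE_LOAD",
        "process_path": r"C:\Program Files\RMMVendor\agent.exe",
        "module_path": r"C:\ProgramData\RMMVendor\helper.dll",
        "signed": False, "signature_status": "SIGNATURE_INVALID",
    },
}

# Hypothetical tuning entry for an RMM agent (vendor name made up): exclude only this loader/module pair.
RMM_ALLOWLIST = ((r"\\program files\\rmmvendor\\agent\.exe$", "C:\\ProgramData\\RMMVendor\\"),)


def run(events: dict, allowlist=()) -> dict:
    """Evaluate every sample and return {name: Verdict}."""
    return {name: evaluate(ev, allowlist) for name, ev in events.items()}


if __name__ == "__main__":
    for name, verdict in run(SAMPLE_EVENTS, RMM_ALLOWLIST).items():
        print(f"{'ALERT ' if verdict.matched else 'ignore'}  {name}: {verdict.reason}")
```

The "atomic-test-calc-from-temp" sample never matches because the loading process is outside System32, SysWOW64 and Program Files; that is the same principal-path constraint that keeps the rule quiet on the Atomic Red Team tests in the Testing Methodology section, where the executable is copied out of its home directory. The "parser-left-signature-unset" sample shows why the signature field paths should be verified against a real UDM search before the rule goes live, and the RMM entry shows a narrow allowlist keyed on both loader and module directory rather than on the vendor directory alone.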

Data Sources

  • Google Chronicle UDM
  • Windows Endpoint Telemetry
  • Sysmon via Chronicle forwarder

Required Tables

PROCESS_MODULE_LOAD UDM events

False Positives & Tuning

  • Enterprise deployment tools that stage self-signed or internally-signed DLLs in ProgramData before a System32 process loads them as part of a sanctioned deployment workflow
  • Remote monitoring and management (RMM) agents that operate from non-standard paths and load helper modules under a trusted parent process context
  • Browser extension mechanisms or plugin frameworks where a signed browser loads extension DLLs from user profile AppData directories

Testing Methodology

Validate this detection against the three T1574.001 tests from Atomic Red Team listed below. Each test describes the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: DLL Search Order Hijacking via Phantom DLL

    Expected signal: Sysmon Event ID 11 (FileCreate): Target file path containing 'dll-hijack-test\cryptsp.dll'. Sysmon Event ID 7 (ImageLoad) if the DLL is loaded. Process creation events showing calc.exe running from a non-standard path.

  2. Test 2: DLL Side-Loading with Legitimate Signed Binary

    Expected signal: Sysmon Event ID 11 (FileCreate): Legitimate executable copied to TEMP directory. Sysmon Event ID 1 (Process Create): Process launched from TEMP instead of its legitimate System32 home. File creation events in the temp directory.

  3. Test 3: DLL Redirection via .local File

    Expected signal: Sysmon Event ID 11 (FileCreate): .local file created alongside a legitimate executable copy. The presence of [executable].local causes Windows to check the application's directory first for the DLLs calc.exe imports, so a DLL planted there is loaded ahead of the system copy.

Coverage note: in all three tests the executable (calc.exe) runs from a copied, non-standard location, while the rule above requires the loading process to reside in System32, SysWOW64 or Program Files. As written, the rule will therefore not fire on these tests even though the Sysmon events listed are generated. To exercise it, either plant the DLL in a user-writable path that a legitimately installed binary already searches, or temporarily widen the principal path constraint in a test environment. Sysmon Event ID 7 (ImageLoad) is the event that should arrive as PROCESS_MODULE_LOAD in UDM; confirm that the forwarder collects it, since Event IDs 1 and 11 alone do not drive this rule.

Unlock Pro Content

Get the full detection package for T1574.001 including response playbook, investigation guide, and atomic red team tests.
